How to set up an OpenVPN server

Prerequisites

This configuration uses the Linux ability to change the permission of a tun device, so that an unprivileged user may access it. This is often preferred on the server machine, as well as on any machines which will be constantly connected to the server.

While addresses from these netblocks should normally be used in VPN configurations, it's important to select addresses that minimize the probability of IP address or subnet conflicts. The types of conflicts that need to be avoided are: For example, suppose you use the popular You will have a routing conflict because your machine won't know if As another example, suppose you want to link together multiple sites by VPN, but each site is using This won't work without adding a complexifying layer of NAT translation, because the VPN won't know how to route packets between multiple sites if those sites don't use a subnet which uniquely identifies them.

The best solution is to avoid using Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely.

The best candidates are subnets in the middle of the vast The first step in building an OpenVPN 2. The PKI consists of:

OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.

Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).
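The two-stage check just described, reproduced with the openssl command line as an added example (this is not code from the OpenVPN HOWTO or the OpenVPN project): a throwaway CA signs a server certificate and a client certificate, each carrying an extendedKeyUsage, and a self-signed impostor claims the server's Common Name without being signed by the CA. The `verify_peer` function first checks the chain to the CA and only then reads the certificate type and Common Name out of the now-trusted certificate, which is the order the text describes. The names Demo-CA, server, client2 and rogue, the work directory and the `build_demo_pki`/`verify_peer` function names are assumptions of this example; it needs an openssl binary that accepts `-addext` (1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the OpenVPN HOWTO): reproduce with the openssl CLI the two checks
# each side makes on the peer certificate: (1) the certificate chains to the trusted CA,
# (2) fields inside the now-trusted certificate are inspected, here the extendedKeyUsage
# (the "certificate type" that OpenVPN's remote-cert-tls checks) and the Common Name.
# All names (Demo-CA, server, client2, rogue) and the work directory are constructed.
set -u

WORK="${WORK:-$(mktemp -d)}"

# build_demo_pki: CA, a server cert (EKU serverAuth), a client cert (EKU clientAuth) and a
# self-signed impostor that claims CN=server but is not signed by the CA
build_demo_pki() (
  cd "$WORK" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 \
    -subj "/CN=Demo-CA" >/dev/null 2>&1 || return 1
  for pair in "server:serverAuth" "client2:clientAuth"; do
    name=${pair%%:*}; eku=${pair##*:}
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
      -subj "/CN=$name" >/dev/null 2>&1 || return 1
    printf 'extendedKeyUsage=%s\n' "$eku" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out "$name.crt" -days 1 -extfile "$name.ext" >/dev/null 2>&1 || return 1
  done
  # impostor: correct CN and EKU, wrong issuer (its own key, not the CA's)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.crt -days 1 \
    -subj "/CN=server" -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1 || return 1
)

# verify_peer <cert> <serverAuth|clientAuth> <expected-CN>: 0 only if all three checks pass
verify_peer() {
  cert="$1"; want_eku="$2"; want_cn="$3"
  # 1. signature chain to the master CA; nothing else is trusted until this passes
  openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
  # 2. certificate type, matched on the text openssl prints for the EKU OID
  case "$want_eku" in
    serverAuth) eku_text="TLS Web Server Authentication" ;;
    clientAuth) eku_text="TLS Web Client Authentication" ;;
    *) return 1 ;;
  esac
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Extended Key Usage' | grep -q "$eku_text" || return 1
  # 3. the identity the certificate carries
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//')
  [ "$cn" = "CN=$want_cn" ] || return 1
  return 0
}

# stand-alone run: build the PKI and report the four verdicts
if [ "${1:-}" = "demo" ]; then
  build_demo_pki || { echo "PKI build failed"; exit 1; }
  for t in "server.crt serverAuth server" "client2.crt clientAuth client2" \
           "rogue.crt serverAuth server" "client2.crt serverAuth client2"; do
    set -- $t
    if verify_peer "$WORK/$1" "$2" "$3"; then echo "$1 as $2/$3: accepted"; else echo "$1 as $2/$3: rejected"; fi
  done
fi
```

Run with `sh verify_peer.sh demo`: the server and client certificates are accepted for their own roles, the impostor is rejected at the chain check even though its CN and EKU look right, and the client certificate is rejected when presented as a server, which is the man-in-the-middle case that checking the certificate type prevents.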

Note that the server and client clocks need to be roughly in sync or certificates might not work properly. If you're using OpenVPN 2. If you installed from a. Run the following batch file to copy configuration files into place this will overwrite any preexisting vars. Now edit the vars file called vars. Don't leave any of these parameters blank.

The final command build-ca will build the certificate authority (CA) certificate and key by invoking the interactive openssl command: Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars. The only parameter which must be explicitly entered is the Common Name. As in the previous step, most parameters can be defaulted.

When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? If you would like to password-protect your client keys, substitute the build-key-pass script. Remember that for each client, make sure to type the appropriate Common Name when prompted, i.

Always use a unique common name for each client. Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files: The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel. Now wait, you may say.

Shouldn't it be possible to set up the PKI without a pre-existing secure channel? The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine.

In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret. It's best to use the OpenVPN sample configuration files as a starting point for your own configuration.

These files can also be found in. On Windows they are named server. The sample server configuration file is an ideal starting point for an OpenVPN server configuration. Before you use the sample configuration file, you should first edit the ca , cert , key , and dh parameters to point to the files you generated in the PKI section above.

At this point, the server configuration file is usable, however you still might want to customize it further: If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you: The sample client configuration file client. To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line or right-click on the.

As in the server configuration, it's best to initially start the OpenVPN server from the command line or on Windows, by right-clicking on the client. A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message. Now, try a ping across the VPN from the client.

If you are using routing i. If you are using bridging i. If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions: See the access policies section below. You have a one-way connection from client to server.

The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.

See the FAQ for additional troubleshooting information. When executed, the initscript will scan for. The Windows installer will set up a Service Wrapper, but leave it turned off by default. This will configure the service for automatic start on the next reboot. Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line).

While most configuration changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically updated on-the-fly, and which will take immediate effect on the server without needing to restart the server process. Files in this directory can be updated on-the-fly, without restarting the server.

Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface described below. This will cause the client to reconnect and use the new client-config-dir file. If you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface described below.

You can use the management interface directly, by telnetting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface.

To enable the management interface on either an OpenVPN server or client, add this to the configuration file: This tells OpenVPN to listen on TCP port for management interface clients (the port is an arbitrary choice -- you can use any free port). Once OpenVPN is running, you can connect to the management interface using a telnet client. Once the VPN is operational in a point-to-point capacity between client and server, it may be desirable to expand the scope of the VPN so that clients can reach multiple machines on the server network, rather than only the server machine itself.

For the purpose of this example, we will assume that the server-side LAN uses a subnet of First, you must advertise the This can easily be done with the following server-side config file directive: One of the benefits of using ethernet bridging is that you get this for free without needing any additional configuration.

In a typical road-warrior or remote access scenario, the client machine connects to the VPN as a single machine. But suppose the client machine is a gateway for a local LAN (such as a home office), and you would like each machine on the client LAN to be able to route through the VPN.

For this example, we will assume that the client LAN is using the Next, we will deal with the necessary configuration changes on the server side.

If the server configuration file does not currently reference a client configuration directory, add one now: In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs. When a new client connects to the OpenVPN server, the daemon will check this directory for a file which matches the common name of the connecting client. If a matching file is found, it will be read and processed for additional configuration file directives to be applied to the named client.

The next step is to create a file called client2 in the ccd directory. This file should contain the line: This will tell the OpenVPN server that the Why the redundant route and iroute statements, you might ask? Next, ask yourself if you would like to allow network traffic between client2's subnet If so, add the following to the server config file. This will cause the OpenVPN server to advertise client2's subnet to other connecting clients.

The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs The outgoing ping would probably reach the machine, but then it wouldn't know how to route the ping reply, because it would have no idea how to reach This requires a more complex setup (maybe not more complex in practice, but more complicated to explain in detail):

For example, suppose you would like connecting clients to use an internal DNS server at Add this to the OpenVPN server configuration: To test this feature on Windows, run the following from a command prompt window after the machine has connected to an OpenVPN server:

Suppose we are setting up a company VPN, and we would like to establish separate access policies for 3 different classes of users: The basic approach we will take is (a) segregate each user class into its own virtual IP address range, and (b) control access to machines by setting up firewall rules which key off the client's virtual IP address.

In our example, suppose that we have a variable number of employees, but only one system administrator, and two contractors. Our IP allocation approach will be to put all employees into an IP address pool, and then allocate fixed IP addresses for the system administrator and contractors. Note that one of the prerequisites of this example is that you have a software firewall running on the OpenVPN server machine which gives you the ability to define specific firewall rules.

For our example, we will assume the firewall is Linux iptables. Next, let's translate this map into an OpenVPN server configuration. First of all, make sure you've followed the steps above for making the First, define a static unit number for our tun interface, so that we will be able to refer to it later in our firewall rules: Because we will be assigning fixed IP addresses for specific System Administrators and Contractors, we will use a client configuration directory:

Now place special configuration files in the ccd subdirectory to define the fixed IP address for each non-Employee VPN client. Each pair of ifconfig-push addresses represents the virtual client and server IP endpoints. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set: This completes the OpenVPN configuration.
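The ccd mechanism described in the two passages above (a file per Common Name, carrying an ifconfig-push pair), as an added example that is not code from the OpenVPN HOWTO or the OpenVPN project. It writes the per-client files and enforces the endpoint-pair rule for the default net30 topology: each client gets its own /30, so the client octet must be in {2, 6, 10, ..., 254} and the server octet is the client octet minus one (with `topology subnet`, ifconfig-push takes a netmask instead and this restriction does not apply). Because the file name is taken straight from the client certificate's CN, the writer also refuses names that could escape the directory. The VPN subnet 10.8.0.0/24, the client names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the OpenVPN HOWTO): generate the per-client files in a
# client-config-dir (ccd) that pin a fixed virtual IP to a non-Employee client, checking
# that every ifconfig-push pair is a legal endpoint pair for the default net30 topology:
# each client owns a /30, so the client octet is in {2,6,10,...,254} and the server octet
# is the client octet minus one. The VPN subnet 10.8.0.0/24, the ccd path and the client
# names are constructed for this demo.
set -u

CCD_DIR="${CCD_DIR:-$(mktemp -d)}"   # hypothetical ccd directory
VPN_NET="${VPN_NET:-10.8.0}"         # first three octets of the VPN subnet

# is_octet <value>: 0 if <value> is an integer in 1..254
is_octet() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 254 ]
}

# valid_net30_pair <client-octet> <server-octet>: 0 if the pair is a legal net30 endpoint pair
valid_net30_pair() {
  is_octet "$1" && is_octet "$2" || return 1
  # client endpoint is the second usable address of a /30: octet == 2 (mod 4)
  [ $(( $1 % 4 )) -eq 2 ] || return 1
  # server endpoint is the first usable address of the same /30
  [ "$2" -eq $(( $1 - 1 )) ]
}

# write_ccd_entry <common-name> <client-octet>: writes $CCD_DIR/<common-name> containing
# "ifconfig-push <client-ip> <server-ip>"; refuses illegal pairs and unsafe file names
write_ccd_entry() {
  cn="$1"; c="$2"
  # the file name comes from the certificate CN: allow only a plain name (no '/', no leading '.')
  case "$cn" in ''|.*|*[!A-Za-z0-9_.@-]*) return 1 ;; esac
  is_octet "$c" || return 1
  s=$(( c - 1 ))
  valid_net30_pair "$c" "$s" || return 1
  printf 'ifconfig-push %s.%s %s.%s\n' "$VPN_NET" "$c" "$VPN_NET" "$s" > "$CCD_DIR/$cn"
}

# ccd_entry <common-name>: prints the directive stored for a client (empty if none)
ccd_entry() { cat "$CCD_DIR/$1" 2>/dev/null; }

# demo: fixed addresses for one sysadmin and two contractors; employees stay in the pool
if [ "${1:-}" = "demo" ]; then
  write_ccd_entry sysadmin1 2 && write_ccd_entry contractor1 6 && write_ccd_entry contractor2 10
  for f in "$CCD_DIR"/*; do printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"; done
fi
```

The firewall rules that follow in the text key off exactly these pushed addresses, so a pair that OpenVPN would reject (for example 10.8.0.8/10.8.0.7) would leave that client with no fixed address and therefore outside the intended rule set; failing early here keeps the address plan and the firewall policy in step.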

The final step is to add firewall rules to finalize the access policy. For this example, we will use firewall rules in the Linux iptables syntax: To use this authentication method, first add the auth-user-pass directive to the client configuration. Next, configure the server to use an authentication plugin, which may be a script, shared object, or DLL.

The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value. Script plugins can be used by adding the auth-user-pass-verify directive to the server-side configuration file. See the description of auth-user-pass-verify in the manual page for more information. For real-world PAM authentication, use the openvpn-auth-pam shared object plugin described below.
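A script plugin honouring the contract just described (exit 0 to accept, 1 to reject), as an added example that is not code from the OpenVPN HOWTO or the OpenVPN project. It targets the `via-file` form of auth-user-pass-verify, where OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and passes that path as the script's first argument. The credential store format (one `user:sha256hex` line per account), its path, the two demo accounts and the function names are assumptions of this example; as the text says, a real deployment should use the openvpn-auth-pam plugin rather than a hand-rolled store.

```shell
#!/bin/sh
# Added example (not from the OpenVPN HOWTO): a minimal auth-user-pass-verify script for the
# "via-file" method. OpenVPN writes the username on line 1 and the password on line 2 of a
# temporary file and passes its path as $1; the script must exit 0 to accept and 1 to reject.
# The credential store format (user:sha256hex) and its path are constructed for this demo.
set -u

CREDS_FILE="${CREDS_FILE:-/tmp/openvpn-auth-demo.creds}"   # hypothetical store location

# sha256_hex <string>: hex SHA-256 digest of the string
sha256_hex() { printf '%s' "$1" | sha256sum | awk '{print $1}'; }

# verify_creds <file>: 0 if line 1 / line 2 of <file> match an entry in $CREDS_FILE, else 1
verify_creds() {
  f="$1"
  [ -r "$f" ] || return 1
  user=$(sed -n '1p' "$f")
  pass=$(sed -n '2p' "$f")
  # only plain usernames reach the store lookup: no ':' separator, no blanks, no metacharacters
  case "$user" in ''|*[!A-Za-z0-9_.@-]*) return 1 ;; esac
  [ -n "$pass" ] || return 1
  # exact-match lookup on the first field; unknown users and malformed lines yield nothing
  stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$CREDS_FILE" 2>/dev/null)
  [ -n "$stored" ] || return 1
  [ "$(sha256_hex "$pass")" = "$stored" ] || return 1
  return 0
}

# setup_demo_store: writes two constructed accounts into $CREDS_FILE
setup_demo_store() {
  {
    printf 'client2:%s\n' "$(sha256_hex 'correct horse')"
    printf 'client3:%s\n' "$(sha256_hex 'battery staple')"
  } > "$CREDS_FILE"
}

# when invoked by OpenVPN (credential file path in $1) decide and exit; sourcing does nothing
if [ $# -ge 1 ]; then
  if verify_creds "$1"; then exit 0; else exit 1; fi
fi
```

Wire it in with `auth-user-pass-verify /path/to/this-script.sh via-file` on the server (together with `script-security 2`, which OpenVPN requires before it will execute external scripts); every rejection path returns 1 so that a missing store, an unreadable file or a malformed username all fail closed rather than open.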

To use it, add this to the server-side config file: For real-world production use, it's better to use the openvpn-auth-pam plugin, because it has several advantages over the auth-pam. Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.

Dual-factor authentication is a method of authentication that combines two elements. Something you have should be a device that cannot be duplicated; such a device can be a cryptographic token that contains a private secret key. This private key is generated inside the device and never leaves it. If a user possessing this token attempts to access protected services on a remote network, the authorization process which grants or denies network access can establish, with a high degree of certainty, that the user seeking access is in physical possession of a known, certified token.

Something you know can be a password presented to the cryptographic device. Without presenting the proper password you cannot access the private secret key. Another feature of cryptographic devices is to prohibit the use of the private secret key if the wrong password has been presented more than an allowed number of times.

This behavior ensures that if a user lost his device, it would be infeasible for another person to use it.

Cryptographic devices are commonly called "smart cards" or "tokens", and are used in conjunction with a PKI (Public Key Infrastructure). The VPN server can examine an X. Since the device cannot be duplicated and requires a valid password, the server is able to authenticate the user with a high degree of confidence.

Dual-factor authentication is much stronger than password-based authentication, because in the worst-case scenario, only one person at a time can use the cryptographic token. Passwords can be guessed and can be exposed to other users, so in the worst-case scenario an infinite number of people could attempt to gain unauthorized access when resources are protected using password-only authentication. If you store the secret private key in a file, the key is usually encrypted by a password. Unlike when using a cryptographic device, the file cannot erase itself automatically after several failed decryption attempts.

This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions.

Cryptoki, pronounced "crypto-key" and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token.

To summarize, PKCS 11 is a standard that can be used by application software to access cryptographic tokens such as smart cards and other devices. Most device vendors provide a library that implements the PKCS 11 provider interface -- this library can be used by applications in order to access these devices. PKCS 11 is a cross-platform, vendor-independent free standard. The first thing you need to do is to find the provider library; it should be installed with the device drivers.

Each vendor has its own library. A configured token is a token that has a private key object and a certificate object, where both share the same id and label attributes.

A simple enrollment utility is Easy-RSA 2. Each PKCS 11 provider can support multiple devices. In order to view the available object list you can use the following command: The serialized id string of the requested certificate should be specified to the pkcsid option using single quote marks.

This will load two providers into OpenVPN, use the certificate specified by the pkcsid option, and use the management interface in order to query passwords. The daemon will go back into the hold state if the token cannot be accessed. The token will be used for seconds, after which the password will be re-queried; the session will disconnect if the management session disconnects.

PKCS 11 is a free, cross-platform, vendor-independent standard. Most smart card vendors provide support for both interfaces. In the Windows environment, the user should select which interface to use. If you wish to run OpenVPN in an administrative environment using a service, the implementation will not work with most smart cards because of the following reasons: General web browsing, for example, will be accomplished with direct connections that bypass the VPN.

In certain cases this behavior might not be desirable -- you might want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing.

While this type of VPN configuration will exact a performance penalty on the client, it gives the VPN administrator more control over security policies when a client is simultaneously connected to both the public internet and the VPN.

If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag: Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy.

This command assumes that the VPN subnet is This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. Any address which is reachable from clients may be used as the DNS server address. Redirecting all network traffic through the VPN is not entirely a problem-free proposition. Here are some typical gotchas to be aware of: For more information on the mechanics of the redirect-gateway directive, see the manual page.

While OpenVPN clients can easily access the server via a dynamic IP address without any special configuration, things get more interesting when the server itself is on a dynamic address. While OpenVPN has no trouble handling the situation of a dynamic server, some extra configuration is required. The first step is to get a dynamic DNS address which can be configured to "follow" the server every time the server's IP address changes.

There are several dynamic DNS service providers available, such as dyndns. The next step is to set up a mechanism so that every time the server's IP address changes, the dynamic DNS name will be quickly updated with the new IP address, allowing clients to find the server at its new IP address. There are two basic ways to accomplish this: The OpenVPN client by default will sense when the server's IP address has changed, if the client configuration is using a remote directive which references a dynamic DNS name.

The usual chain of events is that (a) the OpenVPN client fails to receive timely keepalive messages from the server's old IP address, triggering a restart, and (b) the restart causes the DNS name in the remote directive to be re-resolved, allowing the client to reconnect to the server at its new IP address.

So add the following to both client and server configurations: Next, add the http-proxy directive to the client configuration file (see the manual page for a full description of this directive). Add this to the client config: If you would instead like to place these credentials in a file, replace stdin with a filename, and place the username on line 1 of this file and the password on line 2. This example is intended to show how OpenVPN clients can connect to a Samba share over a routed (dev tun) tunnel.

If you are ethernet bridging (dev tap), you probably don't need to follow these instructions, as OpenVPN clients should see server-side machines in their network neighborhood. If the Samba and OpenVPN servers are running on different machines, make sure you've followed the section on expanding the scope of the VPN to include additional machines.

Next, edit your Samba configuration file smb. Make sure the hosts allow directive will permit OpenVPN clients coming from the If you are running the Samba and OpenVPN servers on the same machine, you may want to edit the interfaces directive in the smb. The OpenVPN client configuration can refer to multiple servers for load balancing and failover. If an existing connection is broken, the OpenVPN client will retry the most recently connected server, and if that fails, will move on to the next server in the list.

You can also direct the OpenVPN client to randomize its server list on startup, so that the client load will be probabilistically spread across the server pool. The 60 parameter tells the OpenVPN client to try resolving each remote DNS name for 60 seconds before moving on to the next server in the list. The server list can also refer to multiple OpenVPN server daemons running on the same machine, each listening for connections on a different port, for example: If your servers are multi-processor machines, running multiple OpenVPN daemons on each server can be advantageous from a performance standpoint.

OpenVPN also supports the remote directive referring to a DNS name which has multiple A records in the zone configuration for the domain. In this case, the OpenVPN client will randomly choose one of the A records every time the domain is resolved.

One of the often-repeated maxims of network security is that one should never place so much trust in a single security component that its failure causes a catastrophic security breach. To get routing set up properly on the server so that remote clients, when they connect, can reach more than just the server itself, you will need to enable IP forwarding.

This can be done by the following: You also want to ensure that packets going back to the client system are routed properly. This can be done by changing the route on the gateway of the server's network to route packets to the client network How this is done largely depends on the operating system of the gateway.

Once this is done, you should be able to ping any machine on the server's LAN from the client, and be able to ping the client from any machine on the server's LAN. For instance, from a machine on the server LAN (not the server):

Setting up OpenVPN clients will be the subject of two tips in the next week. I've made the assumption that the client is correctly configured here, simply to illustrate how it should look when it all works together, but in the next parts of this series we will get into more depth with the client configuration.

He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.


